Well, I passed. And when I got my e-mail my first thought was...THANK GOD IT'S OVER!
I'd read a slew of reviews about the course before signing up but what I read and tried to prepare myself for just did not match the reality. Sure, there's a ton out there warning that this course requires a ton of extra work, self study, and is intense, etc. But really, does "Getting shot really hurts" or "Rectal examinations are really uncomfortable" adequately describe the real thing?
I spent a couple of months working through the labs. I work full time so almost every minute I wasn't at work was spent on my computer, in the labs. Weekday evenings? OSCP. Weekends? OSCP. Kid's activities? Sometimes. House maintenance? Television? HA! OSCP was present in damn near every waking moment of my life. As I waited for my exam day, I looked forward to getting my life back.
The OSCP doesn't so much teach you as it tests you. Based on my experience, I would say that OSCP was 50% instruction, 45% learn on your own, 5% getting hints from other students. Something that occurs to me is that most books I've used to learn the subject matter are high on content but low on the ability to apply/practice that knowledge. That is, most of them gave me a wealth of info/techniques but no practical/legal way to practice. OSCP is the opposite. You have a great playground but need to find/develop the info/techniques yourself.
I learned a ton. Enough to make my eyeballs explode out of my head; I can thank Offsec for that. I can also say that there's room for improvement. (I am kind of surprised there was no student feedback form after my lab/exam, I thought that was pretty standard for most courses/certs.) Anyway, there are so many positive reviews out there, 99% probably, so my review points out things that I didn't like or think need improvement. For that reason, it may come across as overly negative and/or critical but I want to state unequivocally that this is not a bad cert. IMHO, it's just not for everyone.
This cert was particularly challenging for me because I'm not a pentester and this is only my second security cert (the other being CEH). I do have a lot of coding experience and have worked with/around computers since graduating college but I had to work my ass off for the OSCP. Anyway, for someone looking at the OSCP for the first time, there are tons of positive reviews out there, don't base your opinion on my experience, check the others out.
ENTRY-LEVEL REDEFINED
-----------------------------------
I pulled this from the OffSec website:
Penetration Testing with BackTrack is an entry-level course but still requires students to have certain knowledge prior to attending the class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required.
I think when most people hear "entry level" they think of their grade school algebra course, or beginning physics, or something similar. For me, the OSCP was about as entry level as Calculus & Quantum Mechanics are entry level mathematics & physics. Really, the first clue should be: 24 hour exam. I initially thought this course was for the neophyte pentester, someone who wanted to break into the field. However, as I progressed through the material and labs, I started to wonder. On one hand, much of the material and some of the lab machines require experience/knowledge far beyond what is provided by the training. Conversely, in other cases the instructions seem very much geared toward a novice pentester and were presented in a very simplistic, detailed, and easy to follow manner. Again, and I'll probably repeat this many times, a pentester might have looked at stuff I struggled with and said, "Everyone knows THAT!!!!"
For an entry level course, the OSCP is decidedly uneven, instructionally speaking. Initially it starts out very basic going so far as to tell you how to start an FTP server. Progress through the buffer overflow section is equally precise and easy to follow. One big help is your own box to experiment on, one not accessible by anyone but the student. That way if something doesn't work, you can rule out another student or leftover exploits. However in the latter modules, the instructional quality falls off dramatically as does the ability to practice techniques using the XP client you're provided. For example, the port forwarding section isn't covered well at all and you're given no ability to practice outside of the student lab machines.
Next, while the course covers most of the stages of penetration testing individually, it's up to the student to put them together. This means the student has to feel his way through the labs on his own. The danger in this is that the student may be learning things in a less than correct manner. Maybe it's just me, but "I learned most of what I know on my own through blogs and Wikipedia," is NOT what I want to hear from my doctor or financial planner.
THE LABS
-----------------------------------
The labs are the shining part of this cert. A veritable playground where you can hone your skills without fear of the FBI or other law enforcement agency banging down your door. It's easy to freeze a service or machine as you sling exploits at it and being able to revert a particular server to its original state was critical. I wish that we were given more than 6 reverts in a 24 hour period. One thing I discovered while rooting boxes is that other students failed to clean up after themselves. So I'd get on a box and discover leftover exploits or services open that weren't intentionally left open. So I got into the habit of reverting a box before I started to really work on it. Problem was, if I used a revert or two on it as I worked it (easy to do on some of the more fragile services), I'd be out of reverts in no time.
Another problem I had with the labs was that there was no clear route to what is attainable at a given stage. Realistically, most working folk will probably only be able to complete 1-2 modules per week. So your average student will be able to start getting shells and rooting machines by the 3rd week or so. So I'm banging my head against one machine - you know "Try Harder" - for hours, days even, only to find out (thanks to a helpful student on IRC) that I'm not going to be able to get that machine until I get through module X. Great.
Also some of the servers seemed spookily unaligned with a 101 class. Say you're in Algebra 101 and at the end of Chapter 5 they tell you to do the exercises but, by the way, to make things challenging, we threw in some Geometry, Trig, & Calculus questions. Good luck! The big problem is that you don't know if the machine you're banging your head on is an Algebra question or a Calculus one. Try Harder will likely not cut it either. I can throw a 5th grader a Quantum physics question and tell him Try Harder all day but it ain't going to cut it.
The training also lacks a full-on end-to-end example. You're given the basics of each fundamental step of the process (scanning, enumeration, etc.) but never given a run-through of getting into a box, why this exploit was chosen over that one, why this payload did work while that one didn't, etc., etc. Unfortunately, what ended up happening with me, at least initially, is point-shoot-miss, point-shoot-miss, point-shoot-hit. Battleship anyone?
THE MATERIAL
-----------------------------------
The Muts videos were excellent. The problem I had was that they often were used to supplement the PDF rather than complement it. Early on, I found holes in the manual that cost me hours, only to find out that the video got it right. I find it easier to reference a manual than a slew of videos so I wish the manual were a bit more thorough and the videos were used to add that extra bit rather than fill in the gaps.
I was disappointed by the number of errors in the lab manual. For example the manual is all about using Ollydbg but in the exercise lab provided, it's Immunity Debug. Are they similar/same? Yes. But for the amount of money it costs, is it too much to ask for updated screen shots in a PDF? I could see if they referenced a tool from BT 4 that changed in BT 5 or if we were shipped a printed manual...but a PDF? Case in point, a line of python code from the book:
print “Fuzzing ” + command + " with length:" +str(len(string))
And the (supposed) corresponding output:
Fuzzing MKD:1
Doesn't take a programming genius to see there's something not right here. These admittedly minor quibbles are quality control issues that I wouldn't even bring up if it were a $30-$50 textbook, but for an $800 class? One thing that could alleviate these issues is if Offsec were to implement a system where students/instructors could post errata to the manual/videos. Might save some questions in the IRC as well.
WHAT SAVED ME
-----------------------------------
As I've repeated over and over, I'm not a pentest professional and a lot of networking concepts were foreign to me. What I did have going for me was a strong programming background. I think that's the key to getting through this course and the exam: being strong in a key discipline. It doesn't necessarily have to be programming or networking or pentesting.
But if you just learned that Python wasn't just a big snake, Bourne Shell isn't the name of the next Ludlum movie, and SQL isn't someone's misspelling of a movie follow-on...Pain X 1000. I cringe when I read posts/hear from people who think that OSCP is Intro to Hacking where they will come out like Neo or the guy in Swordfish. Again, this is largely a self-taught class that requires you to learn so much on your own, primarily using the web as a resource.
Another thing that helped me was having taken the CEH. While I'm the first to point out the negatives of CEH, it did at least introduce me to some of the basic points of the field. I'd recommend anyone taking this course to at least get an Intro to Ethical Hacking book first.
COST
-----------------------------------
No, not the $$. I'm talking about the personal toll this class took on me and my family. (Again, a pentester probably wouldn't have to devote as much time, so my experience might have been on the extreme side.)
I'm normally pretty active, but at the end of this cert I'd gained 6-7 lbs. Not surprising since weeknights and weekends were spent in front of the computer and when it came to eating I'd typically shove whatever was handy down my piehole. Who has time to cook? Did I mention I was spending 20+ hours a week on this cert? Also, midway through, I started to break out and developed a cold due largely to the aforementioned eating habits & inactivity coupled with loss of sleep, and stress. Obviously my work suffered - when you're staying up until 1 or 2 AM working a server or waking up at 3 - 4 AM thinking about a server...concentrating on your day job is difficult.
Because I found it impossible to concentrate with the usual household noises, I had to closet myself in my office at home. So for more than 2 months, I barely saw, much less spoke to, my family. When my folks would call, I was usually distracted, tired, and/or busy. Family get-togethers, weekend BBQs? Ha, don't make me laugh. And when they did see me, I was often grumpy from lack of sleep or frustration. Of course this all did not make the spousal unit happy. You can only say, "It'll be over soon" so many times.
I have to give my spouse & kids credit - they were very understanding and supportive. But there were of course several times when being ignored for several months caused some spousal tension. More than once, pleas for attention from the wife turned decidedly frosty when met with, "Hold on, I've almost got this server." And there's no guilt trip like having your kids tell you, "Daddy, we miss you" and your wife say, "I want my husband back"...I owe them - my wife in particular - big time.
POST MORTEM
-----------------------------------
The challenge in any course is finding the right balance between hand holding and letting the student work things out for themselves.
spoon feed <--------------------------------------> here's the book, exam in 8 weeks, later!
I think most people will agree that the OSCP falls closer to the right than the left.
IMHO, too much to the left doesn't benefit the student because you're not engaging any brain cells. Too much to the right...there's more of a chance that a key concept or skill is overlooked. Let me clarify that.
For me, figuring stuff out on my own improves my retention; it does not equate to learning "better", i.e. a thorough understanding. I think getting trained by an expert typically beats the learn on your own method. Whatever I did in the labs, I know there are probably easier or more efficient methods, things I didn't think of. There are a couple of services that I was never able to crack...does this mean they just weren't vulnerable or did I miss something? No idea.
I once missed a week in my college statistics class and ended up having to teach myself a chapter over a weekend. What I discovered the next week was that assumptions I had made (or divined), even though I got the right answer, ranged between inefficient and incorrect...thankfully, there was an instructor there to correct my shortcomings. This is why I feel the OSCP wasn't an ideal fit for me.
Learning any skill can be made difficult; I could make learning the alphabet difficult. And none of what I learned in the OSCP (either from the materials or on my own) qualifies as rocket science. But the amount of training is nowhere near what I needed in the labs - I estimate I got less than 50% of what I needed for the lab machines. I personally think a little more instructional information ("Try harder" does not qualify) would improve the quality of the student. Not only that, it might result in an increase in enrollment.
It would be interesting to find out what percentage of OSCPers take the OSCE/EE. My guess is it's around 15% but wouldn't be surprised if it was actually < 10%. Based on my canvassing of OSCPs at work, 1 in 8 (and he was a maybe) would consider the OSCE due to the impact it takes on the individual, his family, time, personal life, work...all of the above. Most give me an unequivocal "NO" (usually preceded with "H3ll" and "F@cking") re. OSCE or higher. The irony here is that the very thing that makes the OSCP so sought after also seems to stunt enrollment in the other courses.
I am still interested in ethical hacking but count myself in the "Hell No" category when it comes to continuing the Offsec curriculum. Personally, I prefer something closer to "taught" than "tested". I want something where core concepts/methodology are stressed and there's more of a balance between spoonfed & "you're on your own". Until then, I can teach myself using the web/blogs/books/sites (like EH.net)...just like I did with the OSCP (only minus the labs.) So unless there's a pervasive reason to obtain the cert - Maserati/G6/magic genie - I can't justify putting myself much less my family through another round.